
I am writing an Identity and Access Management application in the C programming language. So I use OpenLDAP for persisting user details, and it provides a set of APIs to perform operations such as bind, add, search, modify etc. I created a new object class to hold my application's user details as below,

attributetype ( 2.5.4.1 NAME 'id'
    DESC 'RFC2256: user identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

attributetype ( 2.5.4.2 NAME 'name'
    DESC 'RFC2256: user name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

attributetype ( 2.5.4.3 NAME 'email'
    DESC 'RFC2256: user mail address'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )


objectclass ( 2.5.4.4 NAME 'user'
    DESC 'user details'
    SUP top STRUCTURAL
    MUST id
    MAY ( name $ email ) )

Is it possible to add a new attribute 'phoneNumber' to the 'user' object class without directly editing schema file but by using APIs provided by openLDAP library?

3 Answers


The best practice would be to add an Auxiliary ObjectClass with no REQUIRED attributes and add "MAY" attributes as needed.

After adding the AUX class to the schema, you can then add, through a modify operation, the AUX class to any structural ObjectClass entry as an objectClass value, as desired.

This allows you to maintain the base schema intact.

-jim

jwilleke
  • This is ok. But my question is about adding attributes to an existing objectclass (AUX) dynamically using the OpenLDAP library for the C programming language. We can bind to the LDAP server by using the API ldap_bind(), and search a directory entry using the ldap_search() API; is there any similar API available to add an attribute to an objectclass? I don't want to add it using some LDIF file or from the terminal using some commands, but I need to know whether there is any API for this available or not. Hope you are clear. Thanks – Ajith C Narayanan May 28 '18 at 06:39

Not what you've asked for. But it's important, so that others do not naively copy & paste this:

attributetype ( 2.5.4.*

[..]

objectclass ( 2.5.4.4 NAME 'user'

You're abusing OIDs already assigned to other schema descriptions. This is broken. You will not be able to load any data with that.

With OpenLDAP's dynamic configuration you can add/modify schema on the fly if you follow the rules in RFC 4512 for defining attribute types and object classes.

See also: cn=schema

Note that removing schema descriptions in case there's already existing data using it is a no-no.

Michael Ströder
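The two answers above describe one procedure: define an AUXILIARY class with only MAY attributes under an OID arc you own (jim's answer), load it through OpenLDAP's dynamic configuration as a new entry under cn=schema,cn=config, obeying the RFC 4512 description syntax (Michael's answer), and then add the class to existing entries with an ordinary modify. The following is an added example written for this page, not code from either answerer or from the OpenLDAP project. It assumes a placeholder arc 1.3.6.1.4.1.99999 (replace with your own Private Enterprise Number), the invented names appPhoneNumber and appUserAux, a config rootDN of cn=admin,cn=config with its password in the LDAP_CONFIG_PW environment variable, a server at ldap://localhost, and a user entry uid=alice,ou=people,dc=example,dc=com. Built with `cc -DUSE_LIBLDAP schema_add.c -lldap -llber` it performs the operations with libldap; built plainly with `cc schema_add.c` it only prints the equivalent LDIF.

```c
/* Added example, not from the original post: attribute type + AUXILIARY class
 * under your OWN OID arc, loaded into slapd through cn=config with libldap,
 * then attached to one user entry. See the lead-in for build commands. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMED placeholder: replace 99999 with your IANA Private Enterprise Number.
 * 2.5.4.* and 2.5.6.* (the arcs the question reused) belong to X.500 itself. */
#define APP_ARC   "1.3.6.1.4.1.99999"
#define SCHEMA_DN "cn=appschema,cn=schema,cn=config"   /* assumed entry name */

/* 1 if oid lies under APP_ARC, else 0 (so 2.5.4.4 is refused). */
int schema_oid_ok(const char *oid)
{ return strncmp(oid, APP_ARC ".", strlen(APP_ARC ".")) == 0; }

/* RFC 4512 AttributeTypeDescription using the telephoneNumber syntax and
 * matching rules. Returns bytes written, -1 on bad OID or truncation. */
int build_attribute_type(char *out, size_t n, const char *oid,
                         const char *name, const char *desc)
{
    if (!schema_oid_ok(oid)) return -1;
    int len = snprintf(out, n, "( %s NAME '%s' DESC '%s' "
        "EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 SINGLE-VALUE )", oid, name, desc);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* RFC 4512 ObjectClassDescription: AUXILIARY with MAY only, so it can be
 * added to any existing structural entry without breaking it. */
int build_aux_class(char *out, size_t n, const char *oid,
                    const char *name, const char *may)
{
    if (!schema_oid_ok(oid)) return -1;
    int len = snprintf(out, n, "( %s NAME '%s' DESC 'extra application "
        "attributes' SUP top AUXILIARY MAY ( %s ) )", oid, name, may);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

#ifdef USE_LIBLDAP
#include <ldap.h>
/* Simple bind as the cn=config rootDN (ASSUMED to be cn=admin,cn=config). */
static LDAP *connect_bind(const char *uri, const char *dn, const char *pw)
{
    LDAP *ld = NULL; int v = LDAP_VERSION3;
    struct berval cred = { strlen(pw), (char *)pw };
    if (ldap_initialize(&ld, uri) != LDAP_SUCCESS) return NULL;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &v);
    if (ldap_sasl_bind_s(ld, dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)
            != LDAP_SUCCESS) { ldap_unbind_ext_s(ld, NULL, NULL); return NULL; }
    return ld;
}
/* Step 1 (Michael's answer): add a new olcSchemaConfig entry. slapd checks
 * both descriptions and stores the entry as cn={N}appschema. */
static int add_schema(LDAP *ld, char *attrdef, char *ocdef)
{
    char *oc[] = { "olcSchemaConfig", NULL }, *cn[] = { "appschema", NULL };
    char *at[] = { attrdef, NULL }, *ocl[] = { ocdef, NULL };
    LDAPMod m0 = { LDAP_MOD_ADD, "objectClass",       { oc  } };
    LDAPMod m1 = { LDAP_MOD_ADD, "cn",                { cn  } };
    LDAPMod m2 = { LDAP_MOD_ADD, "olcAttributeTypes", { at  } };
    LDAPMod m3 = { LDAP_MOD_ADD, "olcObjectClasses",  { ocl } };
    LDAPMod *mods[] = { &m0, &m1, &m2, &m3, NULL };
    return ldap_add_ext_s(ld, SCHEMA_DN, mods, NULL, NULL);
}
/* Step 2 (jim's answer): attach the AUX class and the new attribute in ONE
 * modify, so the entry is never stored in a state the schema check rejects. */
static int extend_entry(LDAP *ld, const char *userdn, const char *phone)
{
    char *oc[] = { "appUserAux", NULL }, *ph[] = { (char *)phone, NULL };
    LDAPMod m0 = { LDAP_MOD_ADD, "objectClass",    { oc } };
    LDAPMod m1 = { LDAP_MOD_ADD, "appPhoneNumber", { ph } };
    LDAPMod *mods[] = { &m0, &m1, NULL };
    return ldap_modify_ext_s(ld, userdn, mods, NULL, NULL);
}
#endif

int main(void)
{
    char attrdef[512], ocdef[512];
    if (build_attribute_type(attrdef, sizeof attrdef, APP_ARC ".1.1",
                             "appPhoneNumber", "application phone number") < 0
     || build_aux_class(ocdef, sizeof ocdef, APP_ARC ".2.1",
                        "appUserAux", "appPhoneNumber") < 0)
        return fputs("refusing an OID outside our own arc\n", stderr), 1;
#ifdef USE_LIBLDAP
    const char *pw = getenv("LDAP_CONFIG_PW");            /* never hard-code */
    LDAP *ld = pw ? connect_bind("ldap://localhost", "cn=admin,cn=config", pw) : NULL;
    if (!ld) return fputs("bind failed\n", stderr), 1;
    int rc = add_schema(ld, attrdef, ocdef);
    if (rc == LDAP_SUCCESS)   /* ASSUMED user DN and value */
        rc = extend_entry(ld, "uid=alice,ou=people,dc=example,dc=com", "+1 555 0100");
    ldap_unbind_ext_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) return fprintf(stderr, "%s\n", ldap_err2string(rc)), 1;
#else
    printf("dn: %s\nobjectClass: olcSchemaConfig\ncn: appschema\n"
           "olcAttributeTypes: %s\nolcObjectClasses: %s\n", SCHEMA_DN, attrdef, ocdef);
#endif
    return 0;
}
```

Two points worth checking before running this against a real server. The schema add is an ordinary LDAP add on the cn=config database, so the bind identity needs write access there: the config rootDN shown above, or, on the slapd host, the root user over `ldapi:///` with `-Y EXTERNAL` when you feed the printed LDIF to ldapadd. And as Michael's answer says, adding definitions this way is supported, but deleting an attribute type or object class that existing entries already use is not something to attempt; design the AUX class so you only ever append MAY attributes to it.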

The LDAP standards are written for schema to be Write Once Read Many data - once you set something, you can't unset it. As a result, many LDAP servers are very resistant to changing their schema elements like you're talking about.

Of course, for many of us, that attitude is an academic luxury we can't afford, so we do make changes to our schema, despite how much it horrifies our LDAP vendors.

However, we change our schema, not the standard schema. Changing standard objectclasses is a no-no, because whatever changes you make to the default standard will go away without warning sometimes when you update your LDAP server software. And even when restricting yourself to editing objectclasses that are yours to edit, you will still probably have to update the schema files directly and then have the ldap server load the new files, rather than just asking it nicely to update its schema elements.

Of course, different LDAP servers have different levels of orneriness on this. For example back when we used iPlanet LDAP, if I recall correctly, it would let us do a delete & add of an objectclass that wasn't in use, and make changes to it like that. (Don't use iPlanet LDAP; it was the product of a joint venture that fell apart over 15 years ago.)

Ed Grimm
  • Note: changing the standard schema is bad for more reasons than I gave. I just chose to give only the reason I felt is likely to have purchase with the OP, based on other developers I've talked to who suggested making changes to standard objectclasses. – Ed Grimm Jan 16 '19 at 01:14